Apple patching critical SMS vulnerability in iPhone OS

Safari Charlie says that Apple is working on a patch for a serious flaw he …

Security researcher Charlie Miller has revealed that Apple is working on a patch for a security flaw he identified in the iPhone's SMS implementation. The flaw can actually lead to arbitrary code execution, as he explained to Ars last month. Miller hasn't yet detailed the flaw, citing an agreement with Apple, though he and partner Vincenzo Iozzo plan to detail their discovery later this month at the Black Hat Security Conference in Las Vegas.

During a presentation at the SyScan security conference in Singapore, Miller explained that a vulnerability in the iPhone's handling of SMS messages makes it possible to send code rather than plain text. Despite SMS's 140-byte size limitation, the iPhone can reassemble larger messages that are broken up to fit the limitation, which allows larger programs to be sent. The iPhone can be instructed to execute SMS data as code instead of text, and when it executes the code it does so with root privileges and without any interaction from the user.
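The reassembly step described above is where a receiver has to decide how much to trust the fragments it is handed. As an added example (not code from the article, from Miller, or from Apple), the following Python reassembler parses the concatenation element of the SMS User Data Header as defined in 3GPP TS 23.040 (IEI 0x00 with an 8-bit reference, total-parts and sequence-number byte) and rebuilds a message only when every part is present, the numbering is consistent, and the combined size stays under a configured cap. The fragments, the 4096-byte cap and the `make_fragment` helper are constructed for this example.

```python
"""Reassembly of concatenated SMS fragments with bounds and consistency checks.

Added example; not the article's, Miller's or Apple's code. Parses the
User Data Header (UDH) concatenation element from 3GPP TS 23.040
(IEI 0x00: reference, total parts, sequence number) and rebuilds the
full message only when every part is present and consistent.
The fragments built by make_fragment() are constructed test data.
"""
from __future__ import annotations
from dataclasses import dataclass

MAX_PDU_USER_DATA = 140   # single-SMS user-data limit in bytes (from the article)
IEI_CONCAT_8BIT = 0x00    # concatenated short message, 8-bit reference number


@dataclass
class Fragment:
    ref: int
    total: int
    seq: int
    payload: bytes


def parse_fragment(user_data: bytes) -> Fragment:
    """Parse one SMS user-data field (UDH present) into a Fragment.

    Every length field is checked against the buffer before use; any
    malformed header raises ValueError instead of being guessed around.
    """
    if not user_data:
        raise ValueError("empty user data")
    if len(user_data) > MAX_PDU_USER_DATA:
        raise ValueError("user data exceeds 140 bytes")
    udhl = user_data[0]                       # length of the header that follows
    if 1 + udhl > len(user_data):
        raise ValueError("UDH length runs past end of user data")
    header = user_data[1:1 + udhl]
    body = user_data[1 + udhl:]
    pos = 0
    concat = None
    while pos < len(header):                  # walk the information elements
        if pos + 2 > len(header):
            raise ValueError("truncated information element")
        iei, iedl = header[pos], header[pos + 1]
        data = header[pos + 2:pos + 2 + iedl]
        if len(data) != iedl:
            raise ValueError("information element length runs past UDH")
        if iei == IEI_CONCAT_8BIT:
            if iedl != 3:
                raise ValueError("bad concatenation IE length")
            concat = (data[0], data[1], data[2])
        pos += 2 + iedl
    if concat is None:
        raise ValueError("no concatenation element present")
    ref, total, seq = concat
    if total == 0 or seq == 0 or seq > total:
        raise ValueError(f"inconsistent part numbering {seq}/{total}")
    return Fragment(ref, total, seq, body)


class Reassembler:
    """Collects fragments per reference number; returns the message once complete."""

    def __init__(self, max_message_bytes: int = 4096):   # cap is an assumed policy value
        self.max_message_bytes = max_message_bytes
        self._parts: dict[int, dict[int, Fragment]] = {}

    def add(self, user_data: bytes) -> bytes | None:
        frag = parse_fragment(user_data)
        parts = self._parts.setdefault(frag.ref, {})
        existing = next(iter(parts.values()), None)
        if existing is not None and existing.total != frag.total:
            # The part count changing mid-stream is treated as corruption: drop the set.
            del self._parts[frag.ref]
            raise ValueError("total-parts mismatch within one reference")
        if frag.seq in parts:
            raise ValueError(f"duplicate part {frag.seq} for ref {frag.ref}")
        if frag.total * MAX_PDU_USER_DATA > self.max_message_bytes:
            raise ValueError("message would exceed configured size limit")
        parts[frag.seq] = frag
        if len(parts) < frag.total:
            return None                       # still waiting for parts
        message = b"".join(parts[i].payload for i in range(1, frag.total + 1))
        del self._parts[frag.ref]
        return message


def make_fragment(ref: int, total: int, seq: int, payload: bytes) -> bytes:
    """Build a constructed fragment: UDHL=5, IEI 0x00, IEDL 3, ref, total, seq, body."""
    return bytes([5, IEI_CONCAT_8BIT, 3, ref, total, seq]) + payload


def demo() -> bytes | None:
    """Three constructed parts delivered out of order; returns the rebuilt text."""
    r = Reassembler()
    r.add(make_fragment(0x2A, 3, 2, b"second "))
    r.add(make_fragment(0x2A, 3, 3, b"third"))
    return r.add(make_fragment(0x2A, 3, 1, b"first "))


if __name__ == "__main__":
    print(demo())
```

The point of the example is the placement of the checks: each length byte is validated against the buffer it describes before the slice is taken, the per-reference part count cannot change once a set is open, and the total reassembled size is capped up front, so a receiver never allocates or copies on the basis of a value it has not verified.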

This vulnerability makes it possible to then turn off the signed-code checks built into iPhone OS and load unsigned libraries. That basically allows an attacker to load a complete shell environment and have complete control over the device, including access to any data stored on it. Miller told Ars last month that he didn't know if the vulnerability still existed in iPhone OS 3.0, though the fact that Apple is working on a patch—and already has iPhone OS 3.1 in beta—suggests it still exists in the latest version, despite Apple patching 46 other potential security issues in the update.

Miller has noted on numerous occasions that iPhone OS actually has pretty good security. The code signing requirements and individual application sandboxes provide a relatively secure environment, which is the reason that they haven't yet been targeted by hackers. Miller also noted during his SyScan presentation that a side effect of jailbreaking an iPhone or iPod touch is that it removes most—about 80 percent—of these protections, and cautioned that users concerned about security should avoid jailbreaking.

Apple is expected to have a fix for the SMS issue released sometime this month before Miller and Iozzo present at the Black Hat Conference, which kicks off July 25. It's not known if the patch will come in the form of iPhone OS 3.1 or a separate 3.0.x point release.